[Unconfirmed] Error 403 upon saving an EZ-Pages edit

[lynbor]

system Info:
cPanel Version 58.0 (build 20)
Apache Version 2.4.18
PHP Version 5.5.32
MySQL Version 5.6.31
Architecture x86_64
Operating System linux
Zen Cart v1.55a recently upgraded manually from 1.39h

I actually did 2 of these updates from 1.39h on the same server, two different domains. After updating I realized I had not kept out the easypages so I was in the process of adding them back into my 1.55a installation. I was doing this by opening the php files from my backup using a txt editor and then logged in as admin on the new ZC I would select to edit the appropriate file, click the SOURCE button and then paste in the old code from the txt editor. Then click the source button again to see that everything looked OK and then click SAVE.

This worked for most all my pages until I got to define_main_page.php page. The only difference that I could find with the contents of the home page is that it had several "HR" tags, and an img tag centered using a div statement.

I tried using the CKEdit and I tried switching it to plain text with the same results. I also tried editing the text to remove anything that might be causing a problem like class="main" inside many tags. (wasn't needed) and changing takes like [br /] to [br] just trying hard to figure out what was causing ZC to not want to save this particular page. Every time I clicked save I got the ERROR 403 server page.

Finally, I got the brilliant idea of just using my cpanel file manager to open the home page php file and paste my text in the file that way. That worked. I mean, it saved without error and when I view the home page it appears to be displaying just fine. Here is the code (please no comments on the bad HTML coding) ;-) This something that formed over many years.

Code:

<div style="text-align: center;"><img src="http://kwik-way.com/store2/images/categories/kw_cat_boxshot.jpg" /><br /><span style="font-weight: bold;">KWIK-WAY PRODUCTS ONLINE CATALOG</span><br /></div><hr />


<p style="font-family: arial,helvetica,sans-serif;"><font size="3" class="main">
You will find many of our most popular products available here. However, if you don't find 
what you are looking for, please call us at <b><font color="#ff0000" class="main">
+1-800-553-5953</font></b>. We have many more products and machines available that are not listed in this 
online store.</font></p>

<p style="font-family: arial,helvetica,sans-serif;"><font size="3" class="main"><font style="font-family: arial,helvetica,sans-serif;">If this is your first
visit here, please <a href="https://www.kwik-way.com/store2/index.php?main_page=login" style="font-weight: bold;"><font color="#000080" class="main"><u>click
here</u></font></a> to create an account. Once you have created an
account you can view prices and make purchases.</font></font></p><div style="text-align: center;"><font size="3" class="main" style="font-family: arial,helvetica,sans-serif;"><span style="font-weight: bold;">For
our International Customers</span>, please call in your order.</font><br /></div><font size="3" class="main" style="font-family: arial,helvetica,sans-serif;"><br /></font><div style="text-align: center;"><font size="4" class="main" style="font-family: arial,helvetica,sans-serif;"><span style="font-weight: bold;">Our Online
Store does NOT support orders to<br />International destinations at this
time.<br /></span></font><span style="font-weight: bold;">##<br /></span><hr style="width: 100%; height: 2px;" /><span style="font-weight: bold;"></span></div>
<p align="center" style="font-family: arial,helvetica,sans-serif;"><font size="4" class="main" style="font-family: arial,helvetica,sans-serif;"><b><i>DON'T BE SHY - 
WRITE A REVIEW</i></b></font></p>

<p style="font-family: arial,helvetica,sans-serif;"><font size="3" class="main" style="font-family: arial,helvetica,sans-serif;">
To write a review of a product simply click on the button that says &quot;Write Review&quot;,
 if you are not already logged into the system you will be asked to login before you
can write your review. While we would enjoy hearing your opinions on any of our products (good or bad), 
we do ask that you focus your comments on the particular product in question and refrain from using 
profanity or responding to other customer reviews that were made previously.</font></p>

Maybe it was the image tag being a URL rather than a referenced location??. Anyway, try it and see if it breaks your test bed if you like. I'm fixed (good enough) but I though this may help with your debug process for your code checking on the edit define pages.

Cheers..

[DrByte]

Symptomatically it sounds more like a quirk on the server with your hosting company's configuration for mod_security, which disallows submission of certain phrases (usually those related to writing SQL queries to attack a server database, but sometimes common everyday language might trigger those rules inadvertently).

Doesn't appear to be a bug in Zen Cart.
But you might want to apply the latest updates to the admin sanitization code as posted at: Known Bugs and Fixes

[lynbor]

OK, I may test some more if I get a little time and let you know what I discover. It was weird and reminded me of the problem I was having that caused me to perform the upgrade to 1.55a. product descriptions disappearing after clicking UPDATE. Thankfully that issue is gone, but clicking save after editing a define page and getting that error sure was unexpected. Oh well. Thanks for looking and the push to apply some new patches. :-)

[RodG]

Symptomatically it sounds more like a quirk on the server with your hosting company's configuration for mod_security, which disallows submission of certain phrases (usually those related to writing SQL queries to attack a server database, but sometimes common everyday language might trigger those rules inadvertently).

Agreed, and in this case, the suspect words/phrase is probably "create an account" (or more specifically, the words "create" and "account" appearing in that order.

I recently had to resolve a similar problem problem on a customers site.
The page read something like "We don't accept Western Union payments", then *much* further down the page was text that read "Please select a different shipping method"

The mod_sec rule was being triggered by "union <any amount of other text> select" (case insensitive).

Such fun.

Cheers
RodG